Snort mailing list archives

Re: Snort-sigs Digest, Vol 35, Issue 19


From: Bình Nguyễn via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 24 Apr 2020 09:15:08 +0700

We are using Barracuda antispam to handle all spam emails into our system. I
think it works very well. Please remove this IP again. Thanks.

On Wed, 22 Apr 2020 at 23:01 <snort-sigs-request () lists snort org>
wrote:

Send Snort-sigs mailing list submissions to
        snort-sigs () lists snort org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.snort.org/mailman/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
        snort-sigs-request () lists snort org

You can reach the person managing the list at
        snort-sigs-owner () lists snort org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."

Today's Topics:

   1. Re: False positives(?) for spp_sip (Nitish Hejmadi)
   2. Snort Subscriber Rules Update 2020-04-21 (Research)



---------- Forwarded message ----------
From: Nitish Hejmadi <nitishh () gmail com>
To: "Pettersson, Emil" <emil.pettersson () sovos com>
Cc: "snort-sigs () lists snort org" <snort-sigs () lists snort org>
Bcc:
Date: Mon, 20 Apr 2020 11:15:13 -0400
Subject: Re: [Snort-sigs] False positives(?) for spp_sip
Could be misconfiguration of VoIP or video conferencing from the clients'
side, considering how many people are doing that nowadays.
We've seen a lot of blocks on our VC too.

Just for safety I run the blocked IP addresses through an automated threat
hunting tool to make sure they are not targeting any other resources or
services.



Nitish Hejmadi
Founder & Strategist
T 416 620 5535
www.honeyteksystems.com (https://honeyteksystems.com/home)

On Apr 17, 2020, at 9:08 AM, Pettersson, Emil <emil.pettersson () sovos com>
wrote:



Hi,



We’ve been getting a few blocks for traffic from customers. From looking
into the logs, if I’m understanding correctly, these are getting caught by
spp_sip due to the traffic in these instances having source port 5060 (they’re
doing a few thousand/day with a random source port span).

Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long
[Classification: Potentially Bad Traffic] [Priority: 2] {TCP}
[SOURCE_IP]:5060 -> [DESTINATION_IP]:443

There is no actual SIP traffic expected to go in or out from this network,
so regardless of anything else I believe there’s no real reason to have
these rules enabled? However, I am unsure what the correct way would be
to disable them.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
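The alert line quoted in Emil's message has a fixed syslog shape (timestamp, `[gid:sid:rev]`, optional preprocessor tag, message, classification, priority, protocol, source and destination). The following Python script is an added example, not code from the thread or from the Snort project: it parses such lines, counts events per gid:sid, flags the spp_sip (GID 140) events whose only SIP indicator is a 5060/5061 source port going to a non-SIP destination port (the pattern the thread describes), and prints Snort 2 event-suppression lines scoped to the offending sources. The sample log lines and their RFC 5737 addresses are constructed; the `suppress gen_id ..., sig_id ..., track by_src, ip ...` form is Snort 2's threshold.conf/snort.conf suppression syntax. Whether to suppress per source or disable the preprocessor rules outright is the site's decision; the script only makes the candidates and the noisiest signature visible.

```python
import re
from collections import Counter

# Regex for the Snort 2 syslog alert format quoted in the thread:
#   Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long
#   [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} SRC:5060 -> DST:443
# The "(preprocessor)" tag is optional so ordinary rule alerts (GID 1) parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] "
    r"(?:\((?P<source>[^)]+)\) )?(?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s*$"
)

# Constructed sample log (RFC 5737 documentation addresses), shaped like the thread's alert.
SAMPLE_LOG = """\
Apr 17 09:33:31 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:5060 -> 198.51.100.20:443
Apr 17 09:33:45 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.11:5060 -> 198.51.100.20:443
Apr 17 09:34:02 snort[17881]: [140:3:2] (spp_sip) URI is too long [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.50:5060 -> 198.51.100.30:5060
Apr 17 09:35:10 snort[17881]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 198.51.100.20:80 -> 203.0.113.12:51234
"""

SIP_PORTS = {5060, 5061}
SIP_PREPROC_GID = 140   # GID of spp_sip events, as in the thread's alert line


def parse_alerts(text):
    """Parse each syslog line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def is_port_only_sip_event(ev):
    """The pattern the thread describes: a SIP preprocessor event whose only SIP
    indicator is a 5060/5061 source port, with a non-SIP destination port (443
    here). Such events are candidate false positives, not proof of one; this is
    a triage heuristic, not a verdict."""
    return (ev["gid"] == SIP_PREPROC_GID
            and ev["sport"] in SIP_PORTS
            and ev["dport"] not in SIP_PORTS)


def summarize(events):
    """Count events per 'gid:sid' so the noisiest signature stands out."""
    return Counter(f'{e["gid"]}:{e["sid"]}' for e in events)


def suppress_lines(events):
    """Propose Snort 2 event-suppression lines (threshold.conf / snort.conf
    'suppress' syntax), one per (gid, sid, source IP), so only the known
    offending sources are silenced and the rule stays live for everyone else."""
    keys = sorted({(e["gid"], e["sid"], e["src"])
                   for e in events if is_port_only_sip_event(e)})
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {ip}"
            for gid, sid, ip in keys]


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(f"{key}: {n} event(s)")
    print("\n# candidate false positives (source-port-only SIP hits):")
    for ev in evs:
        if is_port_only_sip_event(ev):
            print(f"  {ev['ts']} {ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}  {ev['msg']}")
    print("\n# proposed suppressions:")
    for line in suppress_lines(evs):
        print(line)
```

Run it against a real syslog extract (`python triage.py < /var/log/snort.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and review the suspect list before pasting any suppress line into the configuration: the third sample event (5060 to 5060 over UDP) is deliberately left alone because it looks like genuine SIP and deserves a closer look rather than a suppression.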




---------- Forwarded message ----------
From: Research <research () sourcefire com>
To: snort-sigs () lists snort org, shesu () sourcefire com
Cc:
Bcc:
Date: Tue, 21 Apr 2020 20:24:33 GMT
Subject: [Snort-sigs] Snort Subscriber Rules Update 2020-04-21


Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the server-webapp rule
sets to provide coverage for recently released 0-day vulnerabilities in
IBM's Data Risk Manager product. SIDs 53733-53735.


For a complete list of new and modified rules please see:

https://www.snort.org/advisories


